mwozniak / bookmark-manager

Bookmark Manager helps organize and manage bookmarks and notes in a simple and effective way.

protecting config.ini #2

Closed aoloe closed 8 years ago

aoloe commented 8 years ago

It's not a good idea to use an .ini file for the configuration and place it in a directory served through HTTP.

Browsing to config/config.ini on your demo server shows your database credentials. Depending on the way your server, database and DB user are set up, I can directly access your other databases or inject malware into your database.

Adding RewriteRule ^config/? index.php [L] to the .htaccess file makes the config files unreachable through HTTP. Not a bulletproof solution, but it would make a default (well-working) instance safe. It would also be good to add a notice in the README telling users to move the config file out of the directories served by HTTP (and show them how to modify index.php to achieve it).

And that being said, thanks for the nice tool! I'm going to test it a bit during the next few days.
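One way to put the "move the config file out of the served directories" advice into practice, as an added example that is not code from the project or from either commenter: an index.php that loads config.ini from a directory outside the document root and refuses to start if the file would still be reachable over HTTP. It assumes the Fat-Free Framework's Base::instance() and $f3->config() calls (the project is described as F3-based); the private directory path and CONFIG_DIR name are assumptions.

```php
<?php
// Added example (not the project's code): keep config.ini outside the
// web root so the web server can never serve the database credentials.
// Assumes Fat-Free Framework (lib/base.php, Base::instance(), $f3->config()).
require_once 'lib/base.php';
$f3 = Base::instance();

// Hypothetical location one level above the document root, e.g.
// /var/www/private/config.ini when index.php lives in /var/www/public_html.
define('CONFIG_DIR', dirname(__DIR__) . '/private');
$configFile = CONFIG_DIR . '/config.ini';

$docRoot  = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
$resolved = realpath($configFile);

// Fail closed: no config file means no database access at all.
if ($resolved === false) {
    http_response_code(500);
    exit('config.ini not found outside the web root');
}

// Refuse to start if the resolved path is still inside the served tree;
// this catches a misconfigured CONFIG_DIR or a symlink back into public_html.
if ($docRoot !== false && strpos($resolved, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('refusing to start: config.ini is inside the document root');
}

$f3->config($resolved); // credentials are read from disk, never served over HTTP
$f3->run();
```

The RewriteRule from the comment above remains a useful second layer for installs where the file cannot be moved, but the path check here is what makes the default layout safe on its own.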

mwozniak commented 8 years ago

You are right; the project only shows the possibilities of the F3 framework. In the demo you can connect to the database only from localhost. It is a bad idea to keep the server-side files in the /public_html/ directory, and there are many other security issues with the F3 framework. The Bookmark Manager has been completely rewritten in the Laravel framework; see it in action: http://www.eduhub.io